1 Summary of Work Accomplished


Under the support of this contract, SRI International (SRI) has extended a deductive approach to the synthesis of programs to the derivation of imperative programs and plans. An interactive implementation of the technique has been developed. The approach has also been applied to the derivation of programs for database updating. A book describing the deductive approach has been completed.

1.1 Background

For several years we have been working (largely under ONR and NSF support) on the automatic synthesis of computer programs. This is the task of deriving a program to meet the conditions of a given specification. We have settled on a deductive approach [MW80] to this problem, according to which programming is regarded as a task in deduction, or theorem proving. To construct a program, we prove the existence of a data object (e.g., a number or list) meeting the specified conditions. The proof is restricted to be sufficiently constructive to indicate a computational method (or algorithm) for finding the desired object. This method becomes the basis for the program that we then extract from the proof.

The theorem is proved in a background theory, which provides the properties of the data objects as well as the constructs available in the target programming language. Programs constructed in this way are guaranteed to meet their specifications; the derivation constitutes a formal verification of the program. The structure of the proof is reflected in the structure of the corresponding extracted program. In particular, case analysis in the proof produces a conditional test in the program; mathematical induction in the proof produces a recursive call in the program; and the use of subsidiary theorems, or lemmas, in the proof produces a procedure, or subprogram, of the extracted program.

We had difficulty finding an existing theorem-proving system capable of carrying out the proofs of the theorems required. The Boyer-Moore theorem prover [BM79], for example, does not deal with full quantification (universal and existential) in the theorem to be proved; this is a serious obstacle to us because our synthesis theorems always have both quantifiers. The Argonne theorem prover [BLMO86], on the other hand, does not deal with mathematical induction, which is important to us for introducing recursive calls. Nuprl [Co86] applies to a purely constructive logic; we deal with a classical logic restricted only enough to allow us to extract programs from proofs.
1.2 Deductive Tableaux


We have developed a theorem-proving framework particularly well suited to the program synthesis application. In this framework, we manipulate a deductive tableau of assertions and goals, declarative sentences each associated with a term, called its output entry. While the assertions and goals of the tableau are all that we need for a pure theorem-proving task, the output entries are required for extracting a program from a proof.

The deduction rules of the framework introduce new assertions and goals with associated output entries, without changing the meaning of the tableau. These rules incorporate some of the most prominent theorem-proving techniques, including (nonclausal) resolution, mathematical induction, and term rewriting.


1.3 Powerful Deduction Rules

In our design of the deductive-tableau system, we have emphasized the development of powerful deduction rules, which may achieve in a single step what would require many smaller steps in a conventional formal system. Our deduction steps resemble the intuitive steps in an informal argument. Our proofs are considerably shorter than conventional formal proofs, and the search space is correspondingly contracted.

Part of this effort is to incorporate properties of the background theory into the deduction rules, rather than representing them declaratively as assertions. Certain properties, when expressed declaratively, tend to spawn numerous logical consequences that, while sound, have little bearing on the problem at hand. We prefer to incorporate such properties into the deduction rules, so they may be invoked only when appropriate.

A special unification algorithm is used by several deduction rules, to incorporate equational properties (see Siekmann [Si89]) and sort properties (see Meseguer, Goguen, and Smolka [MGS]). Properties of ordering relations, such as transitivity and monotonicity, are built into our own special relation rules [MW86]. Other properties may be built into existing deduction rules using theory attachments, as in Stickel's [St85] theory resolution rule.

Within the deductive-tableau framework, we and our associates have worked out the derivations of many programs in numerical [MW87a] and list-processing ([Tr89], [Na89]) domains. We have at times derived programs we would have been unlikely to discover by conventional methods. Most of this work has been done by hand, to test the adequacy of our deductive system. In the past year, a good deal of our effort (with the help of some of our colleagues and students) has been devoted to the implementation of the method. Our first implementation has been interactive.
1.4 Interactive Implementation

The user of our system provides a specification of the desired program and any properties of the background theory that are not already familiar to the system. He or she must choose among a selection of legal alternatives presented by the system on a screen. The system displays the consequences of the user's choice and presents a further selection of alternatives. When the proof is complete, the final program is extracted and may be used as a subprogram in the derivation of future programs.

Although poor choices on the part of the user may postpone the derivation of the final program, they can never cause an erroneous program to be constructed. The system can only produce programs that meet the user's specifications.

The system has been used for both research and educational purposes.

1.5 Applicative vs. Imperative Programs

The deductive-tableau framework was originally introduced for the synthesis of applicative programs, which return an output but do not produce any side effects. The major emphasis of the ONR project has been the extension of the deductive approach to the synthesis of imperative programs, which may alter data structures and produce other side effects as part of their intended behavior. This extension has then been applied to the related problem of planning. We shall first describe how the deductive approach has been extended to imperative programs; we then describe the planning application.


1.6 The Trouble with Situational Logic

We first attempted to use a situational logic, a theory in which the situation, a state of the computation, is an object that may be treated in the same way as the data objects of an applicative program. Situational logic was proposed by McCarthy [Mc68]; a variant was used by Green et al. [Gr69]. In constructing an applicative program, we proved the existence of a suitable output data object; in constructing an imperative program, we first attempted to prove instead the existence of a suitable final state. In other words, the state was treated as just another data object that the program could manipulate. Operations had as arguments several data objects and a state. For example, square(x, s) might denote the state that results when x was set to x² in state s, and positive(x, s) might test whether x is positive in state s.

This representation seemed to work in the synthesis of straight-line imperative programs (with no conditional tests), but it was found to break down in the synthesis of conditional imperative programs. In an applicative program, it is quite possible to apply two different operations to the same data object; for example, we can compute both a + 1 and a − 1. But in an imperative program, we cannot apply two operations in the same state. For example, once we have set x to x² in state s, we have destroyed state s; we can no longer test whether x was positive in state s. Unfortunately, programs constructed by naive application of situational logic do apply many operations in the same state: the expressions square(x, s) and positive(x, s) may both occur in the same program. This is possible because, in this approach, states such as s occur explicitly in the program we extract.


1.7 Fluent Theory

In circumventing this problem, we have been led to devise fluent theory, a situational logic in which a class of operations, called fluents, are explicit objects. Let us first be more precise about fluent theory; later, we shall show why this circumvents the problem with conventional situational logic.

Fluents are defined only in terms of what they do. Executing a fluent e in state s returns a data object s : e and produces a new state s ; e.

In specifying an imperative program, we formulate a relation

$Q[d_0, s_0, d_f, s_f]$

between the input object d_0, the initial state s_0, the output object d_f, and the final state s_f. To construct a program to meet this specification, we do not merely prove the existence of an output object and final state satisfying the specified conditions. We prove the existence of a fluent e such that executing e in the initial state s_0 will return an output object s_0 : e and produce a final state s_0 ; e satisfying those conditions. In other words, we prove the theorem

$(\forall d_0)(\exists e)(\forall s_0)\; Q[d_0,\ s_0,\ s_0 : e,\ s_0 ; e].$

The proof is again restricted to be sufficiently constructive to indicate a method for finding the desired fluent e, and that method becomes the basis for the program to compute e, which we extract from the proof.

In this approach, the data object d_0 is regarded as an input to the extracted program, but the initial state s_0 is not. States do not occur explicitly in the program at all; the same fluent is supposed to work correctly in any initial state. For this reason, the program never performs two operations in the same state.
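
To make the contrast between the situational-logic programs of Section 1.6 and the fluent programs of Section 1.7 concrete, here is an added Python model; it is not code from the report or from the SRI system. A fluent is modelled as a function from a state to the pair (s : e, s ; e). The report names only the operations square and positive; the fluents negate, read and const, the combinators seq and cond, the specification Q checked by spec_holds, and the mutable dictionary used as the state are assumptions of this example.

```python
from copy import deepcopy
from typing import Any, Callable, Dict, Tuple

# A state maps variable names to values.  It is deliberately mutable so that
# an imperative operation destroys the state it is applied to, as in the
# report's discussion of situational logic.  (Assumption of this example.)
State = Dict[str, Any]

# A fluent is known only by what it does: executing it in state s yields a
# data object (the report's "s : e") and a new state (the report's "s ; e").
Fluent = Callable[[State], Tuple[Any, State]]


def run(e: Fluent, s: State) -> Tuple[Any, State]:
    """Execute fluent e in state s, returning (s : e, s ; e)."""
    return e(s)


# --- primitive fluents: square and positive are named in the report; the rest
# --- are assumptions of this example -----------------------------------------
def square(x: str) -> Fluent:
    """Set x to its square and return the new value."""
    def step(s: State) -> Tuple[Any, State]:
        s[x] = s[x] * s[x]          # destructive update: the old state is gone
        return s[x], s
    return step


def negate(x: str) -> Fluent:
    """Set x to -x and return the new value."""
    def step(s: State) -> Tuple[Any, State]:
        s[x] = -s[x]
        return s[x], s
    return step


def positive(x: str) -> Fluent:
    """Test whether x is positive; the state is unchanged."""
    return lambda s: (s[x] > 0, s)


def read(x: str) -> Fluent:
    """Return the current value of x without changing the state."""
    return lambda s: (s[x], s)


def const(v: Any) -> Fluent:
    """Return v and leave the state alone."""
    return lambda s: (v, s)


# --- combinators mirroring proof structure -----------------------------------
def seq(e1: Fluent, cont: Callable[[Any], Fluent]) -> Fluent:
    """Run e1, then the fluent chosen from e1's output, in the resulting state."""
    def step(s: State) -> Tuple[Any, State]:
        v, s1 = e1(s)
        return cont(v)(s1)
    return step


def cond(test: Fluent, then_e: Fluent, else_e: Fluent) -> Fluent:
    """Case analysis in the proof becomes a conditional test in the program."""
    return seq(test, lambda b: then_e if b else else_e)


# --- a fluent program for a hypothetical specification -----------------------
# Q[d0, s0, df, sf]: the output df says whether variable d0 was positive in the
# initial state s0, and in the final state sf that variable holds the square of
# its initial value.  No state name appears in the program text below.
def square_and_report(x: str) -> Fluent:
    return seq(positive(x), lambda was_pos:
               seq(square(x), lambda _: const(was_pos)))


def spec_holds(x: str, s0: State) -> bool:
    """Check Q for the fluent program on a copy of the initial state."""
    v0 = s0[x]
    df, sf = run(square_and_report(x), deepcopy(s0))
    return df == (v0 > 0) and sf[x] == v0 * v0


def make_nonnegative(x: str) -> Fluent:
    """Set x to |x| via a conditional fluent and return the result."""
    return cond(positive(x), read(x), negate(x))


# --- the naive situational-logic version, with the state s explicit ----------
def square_sit(x: str, s: State) -> State:
    s[x] = s[x] * s[x]
    return s


def positive_sit(x: str, s: State) -> bool:
    return s[x] > 0


def naive_square_and_report(x: str, s: State) -> Tuple[bool, State]:
    # square(x, s) and positive(x, s) both occur with the same s: by the time
    # positive is evaluated, square has already destroyed that state.
    sf = square_sit(x, s)
    return positive_sit(x, s), sf


def naive_spec_holds(x: str, s0: State) -> bool:
    """Check Q for the naive program; it fails whenever the initial value is negative."""
    v0 = s0[x]
    df, sf = naive_square_and_report(x, deepcopy(s0))
    return df == (v0 > 0) and sf[x] == v0 * v0
```

The fluent program square_and_report never names a state, so the order in which the test and the update are applied is fixed by sequencing and the same program works from any initial state. The naive version applies square(x, s) and positive(x, s) to the same s and therefore reports the wrong sign for every negative input, which is the breakdown the report describes for conditional imperative programs.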

The same deductive-tableau framework we have used to derive applicative programs may now be applied to derive imperative programs, provided fluent theory is part of the background theory. We have applied this approach to the derivation of several imperative list-processing programs [MW87b], such as imperative list concatenation and reversal, that alter the pointer structure of their arguments in computing the desired results.
1.8 Planning and Database Applications


The close analogy between planning and imperative program synthesis has long been recognized. We may regard the world as a rather large data structure, and the actions in a plan as the operations of an imperative program. Constructing a plan to achieve a given goal may then be treated as a problem of constructing a program to meet a given specification.

Exploiting this analogy, we have applied our fluent theory to the solution of robotic and commonsense planning problems [MW87c]. This approach gives us clean solutions to some somewhat troublesome problems.

Most work in planning has been devoted to the construction of straight-line plans; it has avoided the formation of conditional tests and of any sort of repetition or looping. These constructs give the planning system a mechanism for dealing with uncertainty. Although it is generally acknowledged that conditionals and loops are important, there is a tendency for researchers to postpone considering them.

In programming (as well as planning) applications, there is little justification for concentrating on straight-line programs. We chose a deductive approach over a purely transformational approach largely because of the relative simplicity of the deductive methods for conditional formation (via case analysis) and recursive loop formation (via mathematical induction). These methods carry over directly into the planning domain.

Some problems that are resolved simply in a deductive framework involve taking into account the action of the agent. Certain actions (e.g., getting a roadmap) must be inserted into a plan simply for the purpose of acquiring information. We have found that the same notion of "sufficient constructiveness" we use to ensure that the programs we extract from proofs are executable may also be used to ensure that the agent has sufficient knowledge to follow the extracted plan.

Another application we have investigated is database management. A database may be regarded as a sort of world model. The problem of updating a world model while maintaining given constraints is a typical planning problem and has been approached (in collaboration with X. Qian, a Ph.D. student specializing in databases) as a problem of deduction in fluent theory [QW88], [Qi89]. A system for the synthesis of database transactions, based on the system described in Section 1.5, has been implemented.


1.9 The Frame Problem

A well-known obstacle to the application of situational logics to the solution of problems in planning and imperative program synthesis is the frame problem, the odious necessity to state explicitly in our theory whenever a given operation can have no effect on a given relation. This places a heavy burden on the person specifying the background theory, because, particularly in planning applications, most operations may be regarded as independent of most relations. Furthermore, the numerous frame axioms that express these properties may overload the strategic capacities of the system, because they have numerous irrelevant consequences.

There is an active body of research on nonmonotonic reasoning [Gi87], in which one acknowledges that the background theory and its deduction rules are only an approximation to the truth, and introduces the possibility of retracting deductions when discrepancies arise. In such a system, it is possible to state an overly general frame axiom, such as that no operation has any effect on any relation. Some consequences of this axiom will be false, but may be retracted when they are found to contradict other axioms or conclusions.

The field of nonmonotonic reasoning is still in flux, and there is no general agreement as to how to proceed. Although we benefit from the results of this research, we have not addressed these problems ourselves. We include a correct description of the world, including the frame axioms, in our background theory.

The second aspect of the frame problem, as we have remarked, is the strategic burden of dealing with the numerous consequences of the frame axioms. We have found it advantageous to build these frame properties into the deduction rules, rather than expressing them declaratively as assertions, just as we have done for transitivity and other troublesome properties. One may incorporate these properties into the special relation rules [MW86] or as theory attachments to other rules [St85]. The upshot is that frame properties will not be invoked unless they are appropriate.

1.10 The Logical Basis for Computer Programming

A good deal of our time has been devoted to the completion of the second (and final) volume of our book (with Zohar Manna), The Logical Basis for Computer Programming. This volume provides an elementary exposition of the deductive-tableau framework and its application. It also provides an exceptionally clear introduction to many of the topics basic to the understanding of automated deduction, including well-founded induction, skolemization, and unification. The book is published by Addison-Wesley; Volume II appeared in late 1989.


1.11 Current Status and Publications

With the help of our ONR support we have accomplished the following:

• Development of a modified situational logic, called fluent theory, for the derivation of imperative programs

• Adaptation of fluent theory to planning

• Extension of the deductive-tableau framework to produce fluent theory proofs

• Implementation of an interactive system to prove theorems and derive programs within the deductive-tableau framework

• Application of fluent theory to the derivation of database transaction programs

• Completion of Volume II of The Logical Basis for Computer Programming

• Preliminary design of a semiautomatic system for planning, imperative program synthesis, and theorem proving

2 Publications

All of our technical reports have been published in journals or conference proceedings. A paper on fluent theory and its application to imperative program synthesis, "The Deductive Synthesis of Imperative LISP Programs," was presented at the 1987 National Conference on Artificial Intelligence, and appeared in the proceedings [MW87b]. A description of the application of fluent theory to planning problems, "How to Clear a Block: A Theory of Plans," was presented (in parts) at various workshops and appears in the Journal of Automated Reasoning [MW87c].

A description of the application of fluent theory to database management [QW88], "A Transaction Logic for Database Specification," appears in the proceedings of SIGMOD'88. The work is described more fully in the Stanford University Ph.D. Thesis of Xiaolei Qian [Qi89]. A response [Wa87] to Drew McDermott's critique on deductive methods, "The Bomb in the Toilet," appears in Computational Intelligence (1987). A basic introduction to the deductive-tableau method and a typical example of its application, "The Origin of a Binary-Search Paradigm," appears in the journal Science of Computer Programming [MW87a]. The Logical Basis for Computer Programming, Volume II: Deductive Systems, was published by Addison-Wesley [MW90].